On Mon, Nov 17, 2014 at 7:51 AM, dan (ddp) <[email protected]> wrote:
> On Thu, Nov 13, 2014 at 10:34 AM, Chris H <[email protected]> wrote:
>> Hi. It means nothing to me, but here's a section from strace -f as it fails
>> again.
>>
>
> I opened up issue #442 to track this.
>

I've committed a potential fix here:
https://github.com/ddpbsd/ossec-hids/commit/c6e63dabd2a2b11b5896bebbb620065dae299605
It definitely needs some testing!

>> 20128 stat("/logs/ossec/ossec-agent/queue/ossec/.wait", 0x7fff0a998c90) = -1 ENOENT (No such file or directory)
>> 20128 sendto(4, "1:/logs/ossec/logs/alerts/alerts"..., 666, 0, NULL, 0) = 666
>> 20128 read(6, "", 4096) = 0
>> 20128 read(7, "", 4096) = 0
>> 20128 read(8, "", 4096) = 0
>> 20128 read(9, 0x7f3286300000, 4096) = -1 EISDIR (Is a directory)
>> 20128 select(0, NULL, NULL, NULL, {2, 0}) = 0 (Timeout)
>> 20128 stat("/logs/ossec/ossec-agent/queue/ossec/.wait", 0x7fff0a998c90) = -1 ENOENT (No such file or directory)
>> 20128 sendto(4, "1:/logs/ossec/logs/alerts/alerts"..., 378, 0, NULL, 0) = 378
>> 20128 read(6, "", 4096) = 0
>> 20128 read(7, "", 4096) = 0
>> 20128 read(8, "", 4096) = 0
>> 20128 read(9, 0x7f3286300000, 4096) = -1 EISDIR (Is a directory)
>> 20128 select(0, NULL, NULL, NULL, {2, 0}) = 0 (Timeout)
>> 20128 read(5, "104->WinEvtLog\nRule: 18149 (leve"..., 4096) = 4096
>> 20128 stat("/logs/ossec/ossec-agent/queue/ossec/.wait", 0x7fff0a998c90) = -1 ENOENT (No such file or directory)
>> 20128 sendto(4, "1:/logs/ossec/logs/alerts/alerts"..., 381, 0, NULL, 0) = 381
>> 20128 read(6, "", 4096) = 0
>> 20128 read(7, "", 4096) = 0
>> 20128 read(8, "", 4096) = 0
>> 20128 read(9, 0x7f3286300000, 4096) = -1 EISDIR (Is a directory)
>> 20128 stat("/logs/ossec/ossec-agent/queue/ossec/.wait", 0x7fff0a999720) = -1 ENOENT (No such file or directory)
>> 20128 sendto(4, "1:ossec-keepalive:--MARK--: c$L/"..., 111, 0, NULL, 0) = 111
>> 20128 stat("/logs/ossec/logs/alerts/alerts.log", {st_mode=S_IFREG|0640, st_size=1216888277, ...}) = 0
>> 20128 stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=3661, ...}) = 0
>> 20128 open("/logs/ossec/ossec-agent/logs/ossec.log", O_WRONLY|O_CREAT|O_APPEND, 0666) = 10
>> 20128 fstat(10, {st_mode=S_IFREG|0770, st_size=41256, ...}) = 0
>> 20128 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f32862ff000
>> 20128 fstat(10, {st_mode=S_IFREG|0770, st_size=41256, ...}) = 0
>> 20128 lseek(10, 41256, SEEK_SET) = 41256
>> 20128 write(10, "2014/11/13 15:13:11 ossec-logcol"..., 123) = 123
>> 20128 close(10) = 0
>> 20128 munmap(0x7f32862ff000, 4096) = 0
>> 20128 close(5) = 0
>> 20128 munmap(0x7f3286304000, 4096) = 0
>> 20128 stat("/var/log/userhistory.log", {st_mode=S_IFREG|0600, st_size=0, ...}) = 0
>> 20128 stat("/var/log/messages", {st_mode=S_IFREG|0600, st_size=1282, ...}) = 0
>> 20128 stat("/var/log/secure", {st_mode=S_IFREG|0600, st_size=3183, ...}) = 0
>> 20128 stat("/var/log/audit", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
>>
>>
>> On Thursday, November 13, 2014 1:53:16 PM UTC, Jeremy Rossi wrote:
>>>
>>> Can we try to get an strace with threads: strace -f
>>>
>>> > On Nov 12, 2014, at 12:52 PM, dan (ddp) <[email protected]> wrote:
>>> >
>>> >> On Wed, Nov 12, 2014 at 11:49 AM, dan (ddp) <[email protected]> wrote:
>>> >>> On Mon, Nov 10, 2014 at 4:02 AM, Chris H <[email protected]> wrote:
>>> >>> The only calls in the strace to alerts.log are these:
>>> >>>
>>> >>> sendto(4, "1:ossec-keepalive:--MARK--: no[;"..., 673, 0, NULL, 0) = 673
>>> >>
>>> >> Are you sure 4 is a log file, and not the connection to the
>>> >> ossec-remoted on the other end? I don't think there's enough of the
>>> >> logs to really get an idea of what's going on (maybe the developers
>>> >> would have more of a clue).
>>> >>
>>> >> I did set up a hybrid system on Centos 7 and the latest OSSEC sources,
>>> >> but I'm not seeing the same issues you are.
>>> >
>>> > Spoke too soon, just saw it happen after about an hour of running.
>>> >
>>> >>> It's definitely reading it though, as it forwards the logs for a bit.
>>> >>>
>>> >>>
>>> >>>> On Friday, November 7, 2014 1:00:31 PM UTC, dan (ddpbsd) wrote:
>>> >>>>
>>> >>>>> On Thu, Nov 6, 2014 at 9:40 AM, Chris H <[email protected]> wrote:
>>> >>>>> Hi.
>>> >>>>>
>>> >>>>> I'm running on CentOS 6.6.
>>> >>>>>
>>> >>>>> I enabled debug in internal_options.conf - nothing new in the logs.
>>> >>>>> strace gives this at the time that it stops reading the file. It means
>>> >>>>> nothing to me, though.
>>> >>>>>
>>> >>>>> stat("/logs/ossec/ossec-agent/queue/ossec/.wait", 0x7fffe60bf900) = -1 ENOENT (No such file or directory)
>>> >>>>> sendto(4, "1:/logs/ossec/logs/alerts/alerts"..., 641, 0, NULL, 0) = 641
>>> >>>>> select(0, NULL, NULL, NULL, {2, 0}) = 0 (Timeout)
>>> >>>>> stat("/logs/ossec/ossec-agent/queue/ossec/.wait", 0x7fffe60bf900) = -1 ENOENT (No such file or directory)
>>> >>>>> sendto(4, "1:/logs/ossec/logs/alerts/alerts"..., 639, 0, NULL, 0) = 639
>>> >>>>> select(0, NULL, NULL, NULL, {2, 0}) = 0 (Timeout)
>>> >>>>> stat("/logs/ossec/ossec-agent/queue/ossec/.wait", 0x7fffe60bf900) = -1 ENOENT (No such file or directory)
>>> >>>>> sendto(4, "1:/logs/ossec/logs/alerts/alerts"..., 634, 0, NULL, 0) = 634
>>> >>>>> stat("/logs/ossec/ossec-agent/queue/ossec/.wait", 0x7fffe60c0390) = -1 ENOENT (No such file or directory)
>>> >>>>> sendto(4, "1:ossec-keepalive:--MARK--: no[;"..., 673, 0, NULL, 0) = 673
>>> >>>>> stat("/logs/ossec/logs/alerts/alerts.log", {st_mode=S_IFREG|0640, st_size=2608807647, ...}) = 0
>>> >>>>> stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=3661, ...}) = 0
>>> >>>>> open("/logs/ossec/ossec-agent/logs/ossec.log", O_WRONLY|O_CREAT|O_APPEND, 0666) = 6
>>> >>>>> fstat(6, {st_mode=S_IFREG|0770, st_size=6467, ...}) = 0
>>> >>>>> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f718bba4000
>>> >>>>> fstat(6, {st_mode=S_IFREG|0770, st_size=6467, ...}) = 0
>>> >>>>> lseek(6, 6467, SEEK_SET) = 6467
>>> >>>>> write(6, "2014/11/06 14:28:30 ossec-logcol"..., 123) = 123
>>> >>>>> close(6) = 0
>>> >>>>> munmap(0x7f718bba4000, 4096) = 0
>>> >>>>> close(5) = 0
>>> >>>>> munmap(0x7f718bba5000, 4096) = 0
>>> >>>>> select(0, NULL, NULL, NULL, {2, 0}) = 0 (Timeout)
>>> >>>>> select(0, NULL, NULL, NULL, {2, 0}) = 0 (Timeout)
>>> >>>>> select(0, NULL, NULL, NULL, {2, 0}) = 0 (Timeout)
>>> >>>>> select(0, NULL, NULL, NULL, {2, 0}^C <unfinished ...>
>>> >>>>
>>> >>>> I don't actually see an open of the alerts.log, or any failures (or
>>> >>>> I'm missing them).
>>> >>>>
>>> >>>>>
>>> >>>>> It seems to fail after the keepalive every time.
>>> >>>>>
>>> >>>>>> On Thursday, November 6, 2014 12:53:32 PM UTC, dan (ddpbsd) wrote:
>>> >>>>>>
>>> >>>>>>> On Thu, Nov 6, 2014 at 6:44 AM, Chris H <[email protected]> wrote:
>>> >>>>>>> Has anyone got Hybrid working?
>>> >>>>>>
>>> >>>>>> I have agents that work and I have managers that work. So basically yes.
>>> >>>>>> What distro/version are you using?
>>> >>>>>> Can you try strace to see if that gives you more information on what's
>>> >>>>>> going on?
>>> >>>>>> Looking at the code, I think better information should be logged,
>>> >>>>>> maybe try turning on debug?
>>> >>>>>>
>>> >>>>>>> according to lsof, nothing else seems to be accessing the files at the
>>> >>>>>>> time that the agent stops processing them.
>>> >>>>>>>
>>> >>>>>>> I've figured out why it's looking at additional files/directories, it's
>>> >>>>>>> pulled in the shared agent config; I'd forgotten I'd configured that :)
>>> >>>>>>>
>>> >>>>>>>
>>> >>>>>>>
>>> >>>>>>>> On Tuesday, November 4, 2014 3:43:43 PM UTC, Chris H wrote:
>>> >>>>>>>>
>>> >>>>>>>> Hi. I've set selinux to Permissive, no difference. It sends some logs
>>> >>>>>>>> out, in the 2 minutes before it stops processing the file.
>>> >>>>>>>>
>>> >>>>>>>> Thanks.
>>> >>>>>>>>
>>> >>>>>>>>> On Tuesday, November 4, 2014 12:56:49 PM UTC, dan (ddpbsd) wrote:
>>> >>>>>>>>>
>>> >>>>>>>>> On Mon, Nov 3, 2014 at 12:39 PM, Chris H <[email protected]> wrote:
>>> >>>>>>>>>> Hi. I'm trying to get a hybrid server working, and seeing some odd
>>> >>>>>>>>>> behaviour. I'm running 2.8.1.
>>> >>>>>>>>>>
>>> >>>>>>>>>> When the agent component starts, the logs state:
>>> >>>>>>>>>>
>>> >>>>>>>>>> 2014/11/03 17:00:24 ossec-agentd: INFO: Started (pid: 26197).
>>> >>>>>>>>>> 2014/11/03 17:00:24 ossec-agentd: INFO: Server IP Address: 192.168.1.1
>>> >>>>>>>>>> 2014/11/03 17:00:24 ossec-agentd: INFO: Trying to connect to server (192.168.1.1:1514).
>>> >>>>>>>>>> 2014/11/03 17:00:24 ossec-agentd: INFO: Using IPv4 for: 192.168.1.1 .
>>> >>>>>>>>>> 2014/11/03 17:00:24 ossec-rootcheck: Rootcheck disabled. Exiting.
>>> >>>>>>>>>> 2014/11/03 17:00:24 ossec-syscheckd: WARN: Rootcheck module disabled.
>>> >>>>>>>>>> 2014/11/03 17:00:28 ossec-syscheckd: INFO: Started (pid: 26205).
>>> >>>>>>>>>> 2014/11/03 17:00:28 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
>>> >>>>>>>>>> 2014/11/03 17:00:28 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
>>> >>>>>>>>>> 2014/11/03 17:00:28 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
>>> >>>>>>>>>> 2014/11/03 17:00:28 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
>>> >>>>>>>>>> 2014/11/03 17:00:28 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
>>> >>>>>>>>>> 2014/11/03 17:00:30 ossec-agentd(1210): ERROR: Queue '/queue/alerts/execq' not accessible: 'Queue not found'.
>>> >>>>>>>>>> 2014/11/03 17:00:30 ossec-logcollector(1950): INFO: Analyzing file: '/logs/ossec/logs/alerts/alerts.log'.
>>> >>>>>>>>>> 2014/11/03 17:00:30 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/userhistory.log'.
>>> >>>>>>>>>> 2014/11/03 17:00:30 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
>>> >>>>>>>>>> 2014/11/03 17:00:30 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
>>> >>>>>>>>>> 2014/11/03 17:00:30 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/audit'.
>>> >>>>>>>>>> 2014/11/03 17:00:30 ossec-logcollector: INFO: Started (pid: 26201).
>>> >>>>>>>>>> 2014/11/03 17:00:45 ossec-agentd: INFO: Unable to connect to the active response queue (disabled).
>>> >>>>>>>>>> 2014/11/03 17:00:46 ossec-agentd(4102): INFO: Connected to the server (192.168.1.1:1514).
>>> >>>>>>>>>> 2014/11/03 17:01:30 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
>>> >>>>>>>>>> 2014/11/03 17:01:30 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
>>> >>>>>>>>>>
>>> >>>>>>>>>> I don't know why it's monitoring most of those, as the ossec.conf for the
>>> >>>>>>>>>> agent only specifies '/logs/ossec/logs/alerts/alerts.log'. A couple of
>>> >>>>>>>>>> minutes later, it stops parsing the alerts.log, with:
>>> >>>>>>>>>>
>>> >>>>>>>>>> 2014/11/03 17:02:40 ossec-logcollector(1904): INFO: File not available, ignoring it: '/logs/ossec/logs/alerts/alerts.log'.
>>> >>>>>>>>>>
>>> >>>>>>>>>> Any idea why it's stopping parsing the log file? I do have logstash
>>> >>>>>>>>>> consuming the logs too, and thought it might be that, but it happens
>>> >>>>>>>>>> even if I disable logstash. It's happening almost exactly 2 minutes after
>>> >>>>>>>>>> the process starts. I've tried setting the permissions on the log file to
>>> >>>>>>>>>> 644, too, but that makes no difference.
>>> >>>>>>>>>
>>> >>>>>>>>> Is SELinux or something blocking access to it?
>>> >>>>>>>>>
>>> >>>>>>>>>> --
>>> >>>>>>>>>>
>>> >>>>>>>>>> ---
>>> >>>>>>>>>> You received this message because you are subscribed to the Google Groups
>>> >>>>>>>>>> "ossec-list" group.
>>> >>>>>>>>>> To unsubscribe from this group and stop receiving emails from it, send an
>>> >>>>>>>>>> email to [email protected].
>>> >>>>>>>>>> For more options, visit https://groups.google.com/d/optout.
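The thread's diagnosis rests on reading raw strace output by eye, which is error-prone with several hundred lines of .wait ENOENT noise around the few calls that matter. The script below is an added example of my own, not code from the thread, from OSSEC or from the linked commit. It parses strace lines of the shape quoted above (with or without the `-f` pid prefix), counts failed calls per errno so the expected noise can be discounted, and lists every regular file whose st_size exceeds 2^31-1, the largest value a signed 32-bit off_t can hold. The two alerts.log sizes quoted in the thread are 1216888277 (the strace -f run) and 2608807647 (the earlier run); the second is above that limit. The thread itself does not conclude that file size is the cause, so treat the flag as a check to make mechanical rather than as a verdict. The sample input is a handful of lines copied from the quoted traces; the function and constant names are mine.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample input: a few lines copied from the two traces quoted in the
# thread (the strace -f lines carry the pid 20128, the earlier trace does not).
SAMPLE_TRACE = """\
20128 stat("/logs/ossec/ossec-agent/queue/ossec/.wait", 0x7fff0a998c90) = -1 ENOENT (No such file or directory)
20128 read(9, 0x7f3286300000, 4096) = -1 EISDIR (Is a directory)
20128 stat("/logs/ossec/logs/alerts/alerts.log", {st_mode=S_IFREG|0640, st_size=1216888277, ...}) = 0
20128 open("/logs/ossec/ossec-agent/logs/ossec.log", O_WRONLY|O_CREAT|O_APPEND, 0666) = 10
20128 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f32862ff000
stat("/logs/ossec/logs/alerts/alerts.log", {st_mode=S_IFREG|0640, st_size=2608807647, ...}) = 0
stat("/var/log/audit", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
"""

# One strace line: optional pid, call name, argument list, "= return value",
# then an optional "ERRNO (message)" for failed calls.
LINE_RE = re.compile(
    r'^(?:(?P<pid>\d+)\s+)?(?P<call>\w+)\((?P<args>.*)\)\s*=\s*'
    r'(?P<ret>0x[0-9a-f]+|-?\d+)'
    r'(?:\s+(?P<errno>E[A-Z]+)\s+\((?P<msg>[^)]*)\))?'
)
# The struct stat that strace prints for a successful stat(): path, then st_mode and st_size.
STAT_RE = re.compile(r'^"(?P<path>[^"]*)",\s*\{st_mode=(?P<mode>[^,]+),\s*st_size=(?P<size>\d+)')

# Largest value a signed 32-bit off_t can hold (2**31 - 1); the threshold flagged below.
OFF_T_32_MAX = 2**31 - 1


def parse_line(line: str) -> Optional[dict]:
    """Split one strace line into pid/call/args/ret/errno/msg, or None if it is not a syscall line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ret"] = int(rec["ret"], 0)  # base 0 accepts both decimal and 0x-prefixed values
    return rec


def stat_sizes(trace: str) -> Dict[str, int]:
    """Map each regular file that stat() reported successfully to the last st_size seen for it."""
    sizes: Dict[str, int] = {}
    for line in trace.splitlines():
        rec = parse_line(line)
        if not rec or rec["call"] not in ("stat", "lstat", "stat64") or rec["ret"] != 0:
            continue
        s = STAT_RE.match(rec["args"])
        if s and "S_IFREG" in s.group("mode"):  # skip directories such as /var/log/audit
            sizes[s.group("path")] = int(s.group("size"))
    return sizes


def oversized_files(trace: str, limit: int = OFF_T_32_MAX) -> List[Tuple[str, int]]:
    """Regular files whose st_size exceeds `limit`, largest first."""
    hits = [(p, n) for p, n in stat_sizes(trace).items() if n > limit]
    return sorted(hits, key=lambda t: t[1], reverse=True)


def error_summary(trace: str) -> Dict[str, int]:
    """Count failed calls per errno, so routine noise (ENOENT on .wait, EISDIR on a directory fd) is visible."""
    recs = (parse_line(line) for line in trace.splitlines())
    return dict(Counter(r["errno"] for r in recs if r and r["errno"]))


if __name__ == "__main__":
    for path, size in oversized_files(SAMPLE_TRACE):
        print(f"{path}: st_size={size} exceeds 2^31-1 ({OFF_T_32_MAX})")
    print("failed calls by errno:", error_summary(SAMPLE_TRACE))
```

Feed it a real capture with `python3 strace_sizes.py < trace.txt` after swapping `SAMPLE_TRACE` for `sys.stdin.read()`; on a full `strace -f` run the errno summary separates the recurring .wait and EISDIR entries from anything unexpected, and the size list gives a single line to check against the build's off_t width.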